In our first post in this series, we explained why privacy matters at Storj — and why it’s integral to the software we build, the services we provide, and the policies we support.
Our second post focuses on the complex web of local, regional, and international laws regulating how personal information is stored and managed. The key data privacy questions for Storj are how we stay compliant in handling our users’ personal information, and how users who build solutions on Storj should approach storing data that may be subject to privacy regulations.
Privacy in Perspective
What do we mean when we say data privacy?
The American Institute of Certified Public Accountants defines privacy as encompassing the rights and obligations of individuals and organizations with respect to the collection, use, retention, disclosure, and disposal of personal information.
When you think about personal information or personally identifiable information (PI or PII), you might think of obvious examples like a social security number or date of birth. In practice, though, personal information is defined much more broadly. It encompasses any information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. That includes your email address, IP address, a photograph or video of you, your religious beliefs, health information, biometric information, and the list goes on.
If your business collects email addresses as a requirement to use your services, you’re collecting personal information. When you collect resumes from job applicants, you’re collecting and storing personal information. Collecting and using any type of personal information requires compliance with data privacy regulations. Before we get into the details of these regulations, here are some common regulatory terms.
Common Data Privacy Regulatory Terms
- Regulated party: the party or the entities to which the regulation applies
- Regulated data: the data (typically PII) to which the regulatory framework applies and the steps that have to be taken to protect that data in transit and at rest
- Rights of the data owner: rights relative to data including ownership, access, use, and destruction
- Data subject: the individual to whom personal data relates; each of us is a data subject with respect to the data that personally identifies us
- Data controller: the organization or individual with authority to decide how and why data relating to data subjects is to be processed and which is responsible for reporting a data breach to authorities
- Data processor: the organization or individual who processes data on behalf of the data controller
- Supervisory authority: the agency or entity that enforces data processing regulations
The EU, GDPR & Cross Border Data Transfers
The first data privacy regulation that usually comes to mind for most people is GDPR, the General Data Protection Regulation, which went into effect in May 2018. It replaced and expanded the 1995 EU (European Union) data protection directive and is considered not only the first global data privacy regulation but also the most stringent. It provides strong data subject rights for EU residents and governs the processing of their data wherever it occurs, even outside the EU.
The GDPR requires EU organizations that process data on a large scale to have a data protection officer. It also has stringent data breach notification requirements, including reporting any breaches within 24 hours of becoming aware of one. Under the GDPR, an organization has 30–45 days to grant a request for the handling or disposal of data.
Although the GDPR doesn’t extend to U.S. residents, it does have a spillover effect. For simplicity and cost savings, many U.S. companies extend the protections of GDPR to all of their customers because it becomes a burden to figure out who’s subject to GDPR and who isn’t. Sometimes it’s cheaper and simpler to apply it across the board, so some entities with both EU and non-EU customers may offer GDPR protections to all their customers.
Even with the GDPR, regulations around cross-border data transfers are still in flux. In 2020, the EU’s highest court invalidated the EU-U.S. Privacy Shield Framework through rulings in the Schrems cases (a series of cases brought by Max Schrems, an Austrian privacy advocate, against Facebook). The 2020 ruling gutted standard transfer mechanisms that companies relied on, requiring businesses to be even more vigilant about changes in the law and how they handle data.
Current & Pending U.S. Regulation
The U.S. has no single comprehensive national data privacy law like the GDPR. Still, the right to privacy is protected in over 600 laws in the United States, and there are also a multitude of federal laws that impact privacy rights, some falling under the umbrella of consumer protection. Since the 1970s, the Federal Trade Commission has enforced actions to protect U.S. consumers from unfair and deceptive practices. So while there’s no GDPR in the USA, there are still data privacy protections and enforcement.
The most well-known state privacy law in the U.S. is the California Consumer Protection Act of 2018 (CCPA). This law applies to companies everywhere that store or process data for California residents and that fall into any of the following three categories:
- Has gross annual revenue of at least $25 million
- Buys, receives, or sells the personal data of at least 50,000 California residents, households, or devices
- Receives 50% of annual revenue from selling California residents’ personal information
The CCPA gives individuals protected by the law the right to know what personal information a business collects, to understand how it’s used and shared, to have it deleted, to opt out, and to be free from discrimination for exercising their rights under the CCPA. It gives Californians the right to sue companies that use their stolen data, and, if a data breach discloses their data, the right to sue companies that were negligent in handling it.
Beyond California, other U.S. states with similar data privacy laws are Colorado and Virginia. Active bills are pending in several other states, including New York and Minnesota.
Common Themes in Data Privacy Frameworks
Businesses and developers must be aware of data privacy laws and regulations. While it’s impossible to follow every detail and every development, there are some common themes across these frameworks that are worth noting:
- Data type. This determines which regulatory framework applies. For example, medical data is subject to HIPAA, the Health Insurance Portability and Accountability Act.
- Data subject residency. As with the type of data, a data subject’s residency affects regulatory oversight. For example, all EU residents are protected under the GDPR.
- Data usage restrictions. When data is transferred between third parties, that transfer is typically governed by a contract describing what can and can’t be done with the data (such as aggregation and sale).
Because these regulatory frameworks are primarily geared toward 1:1 data transfer between third parties using a centralized storage model, they require an element of trust that the data won’t be misused. That’s in stark contrast to decentralized storage, which requires zero trust.
Next in the Series: Privacy & Decentralization
As Web 3.0 emerges, there are some interesting intersections regarding how data privacy regulations apply (or don’t apply) to decentralized cloud storage.
In our next post, we’ll focus on how decentralization enables applications to be more private and more secure because it’s designed to eliminate trust between third parties.
Did you miss our first post in this series? You can read it here.
Ready to try Storj DCS? Sign up for free.